Re: A firewall won't stop this one
From: Volker Birk (bumens_at_dingens.org)
Date: 11/06/03
- Next message: Tyler Kyte fan: "Re: False critical update for Internet Explorer"
- Previous message: Sue Mosher [MVP]: "Re: Macros and Outlook?"
- In reply to: Stephen K. Gielda: "Re: A firewall won't stop this one"
- Next in thread: Stephen K. Gielda: "Re: A firewall won't stop this one"
- Reply: Stephen K. Gielda: "Re: A firewall won't stop this one"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Thu, 6 Nov 2003 21:43:06 +0100
Stephen K. Gielda <steve@no-spam-packetderm.com> wrote:
> FreeBSD and IPF can be considered a personal firewall when run host
> based
OK, different definition of terms again. I would not call everything
which implements host based filtering a "Personal Firewall".
But if you're trying to secure a host with host based filtering,
and that software implies a security flaw which can be exploited,
that host based filtering does make your host insecure but not
secure.
I never heard of such an exploit in ipf BTW. The only one I remember
is the problem with kernel based ftp gatewaying - of course one
could attach ports other than 21 on the gatewaying machine. But
that was clear, because FTP features that, and nobody I know has ever
used it.
> it can implement virtual machines therefore your statement is
> false. To make your statement true it should read "no windows based
> Personal Firewall" implements virtual machines."
As our definitions differ, I agree with your statement here.
But: ipf does not implement virtual machines.
Perhaps you're referencing jail() as in FreeBSD 5? That is not a
virtual machine concept. VM concepts include vmware, UML, MoL, vserver.
The only VM for a 4.4BSDlite I know is Plex86. But test it, you then
don't want to use it.
jail() is a kernel based sandbox concept for processes, and that
is a possible option if _every_ function of the kernel supports that.
So if a kernel supports such a feature natively, and it is no
"add on", it will work.
> Tiny will not run any unapproved exe, nor give mem or disk access to
> unapproved processes when properly configged.
You saw what I did? I did not run an executable. I just told the Windows
Explorer to do things for me.
Of course we could also code a shatter attack, shall we? Then no extra
process is needed. Or we just use a DLL, so no extra process is needed.
But I even doubt the security of Tiny for denying new processes
if they're not modifying the kernel heavily.
>> Of course the point is not
>> to deny running that single program. You can use similar code wherever
>> you want, i.e. in every program which supports VBA, in every program
>> which is not firm against a shatter attack and so on.
> Only approved programs, but again you are only speaking windows here
> while mostly making general statements.
By talking about "Personal Firewalls" usually I'm talking about
Windows. I know such products for MacOS X also, but there they're
extra ridiculous, because you have ipfw.
>> > Again, name a current firewall that is only hardware.
>> I'm sorry, I do not use one, and I will not but if there is such
>> an implementation which is OpenSource.
> Opensource hardware firewall? If it's hardware only there is no source
> code.
You never saw VHDL code, did you?
> You've been claiming host based firewalls are worthless
No, I did not. I said, host based filtering does not implement a firewall.
And host based filtering can be useful, if it is not badly implemented.
All "Personal Firewalls" I know do implement it very badly.
Sandboxes for processes usually need a VM concept or they're ridiculous.
The exception is the FreeBSD kernel - with jail() it offers an alternative
for sandboxing processes by implementing the needed functionality
throughout the whole kernel code.
VB.
--
X-Pie Software GmbH
Postfach 1540, 88334 Bad Waldsee
Phone +49-7524-996806 Fax +49-7524-996807
mailto:vb@x-pie.de http://www.x-pie.de